LDAP
Lightweight Directory Access Protocol

Check if LDAPS was ever correctly configured:
Theory
Some Extensible Match Matching Rules:
1.2.840.113556.1.4.803
True if all bits from the attribute match the value (bitwise AND).
1.2.840.113556.1.4.804
True if any bits from the attribute match the value (bitwise OR).
1.2.840.113556.1.4.1941
Used to provide a method to look up the ancestry of an object (LDAP_MATCHING_RULE_IN_CHAIN); it is limited to filters that apply to the DN.
UserAccountControl
Decode UAC Values
Object-Guids
Convert MS LDAP objectGUID to bytes:
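The matching rules, UAC bits and objectGUID encoding above, worked through as an added example (not code from the original notes): decoding userAccountControl flags, building extensible-match filters with the .803 and .804 rules, and escaping an objectGUID for use in a filter. The flag names and values are the standard Active Directory ones; no directory connection is made, so it runs offline.

```python
# Added example: userAccountControl decoding and LDAP extensible-match filters.
import uuid

# Standard AD userAccountControl flags, ordered by bit value (the values the
# notes quote, plus a few other commonly audited ones).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x2,
    "PASSWD_NOTREQD": 0x20,              # 32
    "NORMAL_ACCOUNT": 0x200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,       # 262144
    "TRUSTED_FOR_DELEGATION": 0x80000,   # 524288
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,        # 4194304
}

RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits in the mask must be set
RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit in the mask may be set


def decode_uac(value: int) -> list[str]:
    """Return the names of every known flag set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uac_filter(flags: list[str], any_of: bool = False) -> str:
    """Build a userAccountControl extensible-match filter from flag names.

    any_of=False uses the bitwise-AND rule (.803): every listed flag must be set.
    any_of=True uses the bitwise-OR rule (.804): at least one listed flag is set.
    """
    mask = 0
    for name in flags:
        mask |= UAC_FLAGS[name]
    rule = RULE_BIT_OR if any_of else RULE_BIT_AND
    return f"(userAccountControl:{rule}:={mask})"


def guid_to_filter(guid_text: str) -> str:
    """Encode a textual GUID as an objectGUID filter.

    AD stores objectGUID as the 16 raw bytes of the mixed-endian GUID
    (bytes_le gives that layout); a filter must escape each byte as \\XX.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def audit_filter(flags: list[str]) -> str:
    """Enabled user objects (objectCategory + objectClass, as the notes
    recommend) that have every flag in `flags` set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"{uac_filter(flags)}(!{uac_filter(['ACCOUNTDISABLE'])}))")
```

The resulting filter strings can be passed unchanged to ldapsearch, ldap3 or Get-ADObject -LDAPFilter when reviewing accounts for risky flag combinations.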
Mitigations
Scan for LDAP Signing and LDAPS Channel Binding:
LDAP Signing & LDAPS Channel Binding
Both settings live under HKLM\System\CurrentControlSet\Services\NTDS\Parameters\:
If LdapServerIntegrity is set to 2, LDAP Signing is required:
If LdapEnforceChannelBinding is set to 2, LDAPS Channel Binding is always required:
Tools
RSAT-AD-PowerShell
Install via Capabilities (Windows clients):
Or via Features (Windows servers):
Install via ADModule:
Example Queries
List disabled users (when searching for users use objectCategory + objectClass filters):
Count users, groups and computers:
List users with DoesNotRequirePreAuth set (aka asreproastable):
List accounts with SPN(s) set (aka kerberoastable) and which are also in Protected Users group:
List all groups that j.doe is a member of:
List all groups (including nested groups) that j.doe is a member of:
List members of IT Support group through nested group membership:
List users marked as trusted for delegation (TRUSTED_FOR_DELEGATION UAC value is 524288):
Find the number of users in the Helpdesk OU:
Find all users whose name starts with John, who are not part of the Fired and Contractors OUs, and print all groups they are members of (including nested groups):
Find users with description field filled (one-liner):
Find users with a null password (PASSWD_NOTREQD UAC value is 32):
Create a new domain user account:
List deleted AD objects (AD recycle bin):
ldap3 (Python)
Check if anonymous bind is allowed:
ldap-utils
ldapsearch
Install:
Basic syntax:
Get base naming contexts:
Extract data for the whole domain catalog and then grep your way through:
Or filter out only what you need:
Get Remote Management Users group:
Dump LAPS passwords:
Simple authentication with a plaintext password:
SASL GSSAPI (Kerberos) authentication (both A and PTR DNS records for the DC must exist for this to work):
Analyze large output for anomalies by searching for unique strings:
ldapmodify
An example of removing SPNs and changing dNSHostName (see dNSHostName Spoofing (Certifried)):
windapsearch
Enumerate the domain functional level with an LDAP anonymous bind:
Enumerate users in Protected Users group which are also trusted for unconstrained delegation:
Find what OU is the user John Doe part of:
Query LDAP for all domain computer accounts (and try to resolve their IPs with the -r flag), saving the results into a CSV file:
go-windapsearch
Find user accounts which require smart card authentication (SMARTCARD_REQUIRED UAC value is 262144):
Get password history size in the domain:
Search for service accounts configured for constrained delegation:
Dump all users info:
ldapsearch-ad
Enumerate password policy in the domain:
Run all checks:
gMSADumper
ldeep
Enumerate ACEs of the AdminSDHolder object:
Convert SID to name:
Nmap NSE
LDAPmonitor
ADSpider
SilentHound